03/27/2014

Avoid Email & Credit Card Processing Phishing Scams

“You’ve got mail.”  Remember when that was a good thing?  Unfortunately, it now often means you’re someone’s target.  Some are obvious.  No Nigerian prince wants to send you buckets of money for a favor.  Others are more subtle.  So how do you identify scams?  Here are some tips:

  1. Never click on embedded links or open suspicious attachments.  One common scam involves hacking an individual’s email account to steal address lists.  If you receive an email from someone you know, but it only contains one line, a link to another site, don’t click on it.  Likewise, never open an attachment.  Instead, if you’re not sure it’s legitimate, contact the sender separately asking if he/she sent the original email or if it was an address book theft. 
  2. Don’t react to threats.  Another popular scam is a threat that your account will be closed if you don’t respond to the email.  Cybercriminals often use threats that your security has been compromised and ask you to click on a link to update your profile.  If the threat comes from a company with which you have no relationship, it’s easy.  Hit ‘Delete.’  However, if the email seems to be from a legitimate company, contact that company via a separate action, like logging onto the company’s website or calling the company to inquire about the email.  You can also hover your cursor over the link to see the address of the site to which you’ll be redirected.
  3. Be suspicious of spelling and grammar errors.  Legitimate businesses have staff who proofread mass emails carefully before they are released.  Cyber attackers are not known for their grammar and spelling.
  4. Be savvy about emails that solicit donations of goods or money.  As a business owner, develop good practices about charitable donations, and never respond to an email-only solicitation.
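The hover check in tip 2 can also be automated for HTML mail. The sketch below is an added example, not code from this blog: it flags links whose visible text names one site while the underlying address points to another. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname (lowercase, leading 'www.' dropped) if value looks like an address, else ''."""
    value = value.strip()
    if " " in value or "." not in value:
        return ""  # ordinary link text such as "help page"
    try:
        name = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    except ValueError:  # malformed address
        return ""
    return name[4:] if name.startswith("www.") else name

def suspicious_links(html_body):
    """Return (shown_host, real_host) pairs where the text and the target disagree."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        # Same host or a subdomain of the shown host is treated as consistent.
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append((shown, real))
    return findings

# Constructed sample message body using reserved example domains.
SAMPLE = ('<p>Your account will be closed. Update your profile at '
          '<a href="http://login.example.net/update">www.example.com</a> or see the '
          '<a href="https://www.example.com/help">help page</a>.</p>')
```

A match is a reason to verify the message through a separate channel, as the tip advises; a clean result does not prove a message is legitimate.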

But it’s not just email.  As business owners, you also need to have strong credit card acceptance policies, particularly for telephone orders.  Non-face-to-face purchases are common, but the credit card companies have given you some tools to protect your business.

  1. Ask for the cardholder’s Card Verification Value/Code (CVV/CVC).  These are the 3 or 4 digit numbers that are printed on the payment card (3 digits for Visa, MasterCard, and Discover and 4 digits for American Express).  Payment account numbers can be stolen, but CVV/CVC numbers are generally only known if the card is physically in hand.
  2. Perform an Address Verification.  In a non-face-to-face environment, always obtain the cardholder’s physical mailing address and include the appropriate data when running the credit card authorization.
  3. Match purchases and credits.  The card association rules state that if a refund is to be made, it must be processed on the same payment card as was used for the original purchase.  One scam we’ve recently heard about is an individual calling in a substantial order and then calling back later to cancel the order but providing a different account number for the refund.  Do not fall prey.

02/14/2014

What to Look for in a Mobile Payment Solution

Given that mobile devices are pretty much everywhere these days, it was inevitable that these gadgets would come to play a role in payment processing.  In fact, several recent surveys have shown that many people see no problem with the use of mobile devices for making payments, and the level of support among the general public seems to be steadily increasing.  If your business doesn’t already utilize mobile devices for payment processing, it’s likely that you’ve given serious thought to adopting this technology as part of your point-of-sale setup.  So what features should be included in a mobile payment solution?  Let’s take a closer look at the subject.

Above all else, a mobile payment solution should provide adequate security.  Data processed on an insecure mobile card reading device can be compromised in several ways.  Customer information may be intercepted by hackers as it is transmitted, or the device itself might be stolen; either event could provide a gold mine for criminals searching for credit card numbers.  Therefore, any mobile payment solution should be sure to utilize a device that has point-to-point encryption (P2PE).

02/12/2014

What Is a PCI Level 4 Merchant?

Small business owners often find themselves overwhelmed by the myriad aspects of running a viable company—there are many rules and procedures to worry about and, frequently, not enough personnel to ensure that everything gets done properly.  For these harried entrepreneurs, the PCI Data Security Standard (PCI DSS) can seem like just another burden to contend with.  But it’s important to keep in mind that PCI compliance matters, and it’s easier than one thinks for small businesses to conform to the Standard.  In part, this is because the major card brands classify merchants according to the volume of business they generate.  Businesses of all sizes are expected to maintain PCI compliance, but a small storefront shop is not held to the same reporting requirements as a huge nationwide chain.  Small businesses are generally classified as PCI Level 4 merchants, which means relatively few reporting demands.

Let’s take a closer look at PCI levels.  If your business handles cardholder data, then each of the payment brands you deal with—e.g., Visa, MasterCard—will assign your company a PCI level on a scale that runs from one to four.  The specific level will depend on the annual number of payment card transactions processed by a given business. 

For example, Visa considers a Level One merchant to be any business that processes six million or more Visa transactions in a year.  On the other end of the scale, a Level Four merchant is one that annually processes fewer than 20,000 Visa e-commerce transactions and fewer than one million Visa transactions of all kinds.  Many small businesses fall into the Level 4 category.

So what does this mean for your business?  As a Level Four merchant you only need to complete two reporting requirements:

  • Complete the Self-Assessment Questionnaire (SAQ) every year 
  • Pass an Approved Scanning Vendor (ASV) network scan every quarter
